Hereinafter, a media independent handover (MIH) function will be described in brief.
The MIH function is a logical entity that assists a mobile station (MS) in deciding on handover. The MIH entity can be located in both the mobile station and the network, and allows information on the establishment or status of an access network near the mobile station to be exchanged between the mobile station and the network. This information may originate in different protocol stacks of the mobile station or in several network entities. For example, the media independent information service (MIIS) of the MIH entity provides a function that can access information on all kinds of networks. The MIIS performs this function by receiving reports through the media-specific technologies.
FIG. 1 is a diagram illustrating a protocol layer schematic view of a multi-mode mobile station, IEEE 802 based network, and 3GPP/3GPP2 network.
The multi-mode mobile station has an interface per mode, each of which can be divided into a physical (PHY) layer and a medium access control (MAC) layer. The MIH entity is located below the upper layers, including the IP layer, and defines handover between an IEEE 802 based interface and an interface defined by 3GPP/3GPP2, as well as handover between IEEE 802 based interfaces. In other words, the MIH entity facilitates a handover procedure between heterogeneous networks by obtaining information on other networks from the second layer. Meanwhile, the MIH function may exchange MIH signaling using third-layer information, such as user policy or configuration.
FIG. 2 is a flow chart illustrating an authentication procedure of a mobile station in IEEE 802.16 system according to the related art.
FIG. 2 relates to an authentication procedure currently in service, and illustrates the schematic message flow and the type of information transmitted. However, the messages that carry information transmitted to and received from the mobile station, a base station (BS), or an authentication server may take various forms.
Referring to FIG. 2, when the mobile station intends to enter the network, it acquires synchronization with the base station, performs ranging, and negotiates initial capability with the base station through SBC-REQ/RSP messages (S201). In step S201, the mobile station and the base station negotiate initial capability. At this time, an example of a message transmitted and received between the mobile station and the base station is the SBC-REQ/RSP message of Table 1.
TABLE 1
SBC-REQ/RSP {
    Mandatory parameter
        Physical Parameters Supported
        Bandwidth Allocation Support
    Optional parameter
        Capabilities for construction and transmission of MAC PDUs
        PKM Flow Control
        Authorization Policy Support
        Maximum Number of Supported Security Association
        Security Negotiation Parameters
        HMAC-CMAC Tuple
}
In Table 1, the SBC-REQ (Subscriber Station Basic Request) message is transmitted by the mobile station during initialization. The base station transmits the SBC-RSP (Subscriber Station Basic Response) message to the mobile station in response to the SBC-REQ message. The SBC-REQ/RSP messages are used to negotiate basic capability between the mobile station and the base station.
Negotiation of basic capability is intended to report the basic capability of the mobile station to the base station immediately after ranging ends. In Table 1, the SBC-REQ/RSP messages include parameters that may optionally be included, in addition to the mandatory parameters. Among these parameters, those related to security association (SA) are the authorization policy support field and the security negotiation parameters.
The authorization policy support field is one of the fields included in the SBC-REQ/RSP messages, and specifies the authorization policy to be negotiated and synchronized between the mobile station and the base station. If the authorization policy support field is omitted, the mobile station and the base station shall use IEEE 802.16 security with an X.509 credential and the RSA public key algorithm as the authorization policy. An example of the authorization policy support field is illustrated in Table 2 below.
TABLE 2
Type    Length  Value                                        Region
        1       Bit #0: IEEE 802.16 Privacy Supported        SBC-REQ, SBC-RSP
                Bits #1-7: Reserved, shall be set to zero
The security negotiation parameter field that can be included in Table 1 specifies which security capabilities are supported, to be negotiated before initial authorization or reauthorization is performed.
Table 3 illustrates an example of the security negotiation parameter field.
TABLE 3
Type  Length    Note                                              Scope
25    variable  The Compound field contains the subattributes     SBC-REQ, SBC-RSP
                as defined in the table below

Type  Length  Value
      1       Bit #0: RSA-Based Authorization at the Initial Network Entry
              Bit #1: EAP-Based Authorization at the Initial Network Entry
              Bit #2: Authenticated EAP-Based Authorization at the Initial Network Entry
              Bit #3: Reserved, set to 0
              Bit #4: RSA-Based Authorization at Reentry
              Bit #5: EAP-Based Authorization at Reentry
              Bit #6: Authenticated EAP-Based Authorization at Reentry
              Bit #7: Reserved, shall be set to 0

Subattribute                      Note
PKM Version Support               Version of Privacy Sublayer Supported
Authorization Policy Support      Authorization Policy to Support
Message Authentication Code Mode  Message Authentication Code to Support
PN Window Size                    Size Capability of the Receiver PN Window per SAID
Meanwhile, the PKM Version Support field of Table 3 specifies the PKM version. The mobile station and the base station shall negotiate exactly one PKM version. Table 4 illustrates an example of the PKM version support field.
TABLE 4
Type  Length  Value
25.1  1       Bit #0: PKM Version 1
              Bit #1: PKM Version 2
              Bits #2-7: reserved value, set to 0
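Tables 2 to 4 define the security-related SBC-REQ/RSP fields as one-byte bitmaps carried inside the type 25 compound TLV. The following Python is an added example, not code from the original document or from the IEEE 802.16 text: it decodes those bitmaps from a constructed SBC payload, rejects reserved bits that are set, and checks an SBC-RSP against the SBC-REQ it answers (exactly one PKM version selected, and no version or authorization policy selected that the mobile station did not offer). The TLV wire encoding (one type byte, one length byte, then the value), the subattribute numbering (25.1 taken as subattribute 1), the subattribute number 2 for Authorization Policy Support, and "Bit #0" as the least significant bit are all assumptions made for the example.

```python
# Decoder and consistency checker for the Security Negotiation Parameters
# compound TLV (Table 3) and its PKM Version Support subattribute (Table 4).
# Added example, not from the original document or the IEEE 802.16 text.
# Assumptions: type/length/value bytes, subattribute number = part after the
# dot (25.1 -> 1), Authorization Policy Support = subattribute 2 (Table 2
# leaves its type blank), and "Bit #0" is the least significant bit.

COMPOUND_TYPE = 25       # Security Negotiation Parameters (Table 3)
SUB_PKM_VERSION = 1      # 25.1 PKM Version Support (Table 4)
SUB_AUTH_POLICY = 2      # ASSUMED subattribute number

AUTH_POLICY_BITS = {     # bit meanings from Table 3
    0: "RSA initial entry",
    1: "EAP initial entry",
    2: "Authenticated EAP initial entry",
    4: "RSA reentry",
    5: "EAP reentry",
    6: "Authenticated EAP reentry",
}
PKM_VERSION_BITS = {0: "PKM v1", 1: "PKM v2"}   # Table 4
AUTH_RESERVED_MASK = 0b1000_1000                 # bits 3 and 7 shall be 0
PKM_RESERVED_MASK = 0b1111_1100                  # bits 2-7 shall be 0


def parse_tlvs(buf: bytes) -> dict:
    """Split a byte string into {type: value}; raise on a truncated element."""
    fields, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("TLV header truncated at offset %d" % i)
        t, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV %d claims %d bytes, only %d present" % (t, length, len(value)))
        fields[t] = value
        i += 2 + length
    return fields


def decode_bitfield(value: bytes, names: dict, reserved_mask: int) -> set:
    """Expand a one-byte bitmap into the set of named capabilities."""
    if len(value) != 1:
        raise ValueError("expected a 1-byte bitmap, got %d bytes" % len(value))
    b = value[0]
    if b & reserved_mask:
        raise ValueError("reserved bits set: 0x%02x" % b)
    return {name for bit, name in names.items() if (b >> bit) & 1}


def parse_security_negotiation(sbc_payload: bytes) -> dict:
    """PKM versions and authorization policies advertised in an SBC-REQ/RSP payload."""
    outer = parse_tlvs(sbc_payload)
    result = {"pkm_versions": set(), "auth_policies": set()}
    if COMPOUND_TYPE not in outer:
        return result        # field omitted: Table 1 lists it as optional
    sub = parse_tlvs(outer[COMPOUND_TYPE])
    if SUB_PKM_VERSION in sub:
        result["pkm_versions"] = decode_bitfield(sub[SUB_PKM_VERSION], PKM_VERSION_BITS, PKM_RESERVED_MASK)
    if SUB_AUTH_POLICY in sub:
        result["auth_policies"] = decode_bitfield(sub[SUB_AUTH_POLICY], AUTH_POLICY_BITS, AUTH_RESERVED_MASK)
    return result


def check_negotiation(req: dict, rsp: dict) -> list:
    """Findings a mobile-station-side or monitoring check would raise on an SBC-RSP."""
    findings = []
    if len(rsp["pkm_versions"]) != 1:   # only one PKM version is to be negotiated
        findings.append("SBC-RSP must select exactly one PKM version, got %s" % sorted(rsp["pkm_versions"]))
    if not rsp["pkm_versions"] <= req["pkm_versions"]:
        findings.append("SBC-RSP selects a PKM version the SBC-REQ did not offer")
    if not rsp["auth_policies"] <= req["auth_policies"]:
        findings.append("SBC-RSP selects an authorization policy the SBC-REQ did not offer")
    return findings


def build_security_negotiation(pkm_bits: int, auth_bits: int) -> bytes:
    """Encode the compound TLV (constructed test vector, not a captured frame)."""
    sub = bytes([SUB_PKM_VERSION, 1, pkm_bits, SUB_AUTH_POLICY, 1, auth_bits])
    return bytes([COMPOUND_TYPE, len(sub)]) + sub


# Constructed example: the MS offers PKM v1 and v2 with EAP at initial entry and
# reentry (bits 1 and 5); the BS answers with PKM v2 only but selects RSA at
# initial entry (bit 0), which the MS never offered.
REQ = build_security_negotiation(0b11, 0b0010_0010)
RSP = build_security_negotiation(0b10, 0b0000_0001)

if __name__ == "__main__":
    req, rsp = parse_security_negotiation(REQ), parse_security_negotiation(RSP)
    for finding in check_negotiation(req, rsp):
        print("finding:", finding)
```

The subset checks mirror how a negotiation should behave: the response may only narrow what the request offered, and a response that widens it (or that fails to settle on a single PKM version) is the kind of inconsistency worth logging before the authorization procedure of step S202 starts.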
Referring to FIG. 2, the mobile station requests extensible authentication protocol (EAP) authentication from an authentication, authorization and accounting (AAA) server through the base station. The AAA server authenticates the user through an EAP authentication method in response to the request of the mobile station (S202). One example of an EAP authentication method is EAP-TLS, which uses an X.509 credential. Another example is EAP-SIM, which uses a specific type of credential such as a subscriber identity module (SIM). Alternatively, an RSA authentication method, which uses a public key encryption algorithm, may be used in accordance with the requirements of the system.
In step S202, if authentication of the mobile station (or user) completes successfully, the AAA server generates a master session key (MSK) through the EAP based authentication method. The AAA server transmits the MSK to the base station (S203). The base station transmits the MSK received from the AAA server to the mobile station so that the two share it (S204).
An authentication key (AK) can be generated in the mobile station and the base station using the pairwise master key (PMK) (S205). Alternatively, the AK can be generated using the MSK. The AK is used to generate a traffic encryption key (TEK) for communication between the mobile station and the base station.
The mobile station and the base station share the TEK through 3-way handshaking (S206), which consists of three stages: SA-TEK challenge, SA-TEK request, and SA-TEK response. At this time, the TEK used to encrypt actual data is generated and shared by the mobile station and the base station.
Having generated the AK by performing the authentication procedure and shared the TEK, the mobile station and the base station then perform the network entry procedure (S207).
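Steps S203 to S206 form one key chain: the MSK delivered by the AAA server, the AK derived from it by both ends, and the SA-TEK 3-way handshake that delivers the TEK under message authentication keyed from the AK. The following Python is an added example that models that chain end to end; it is not code from the original document and does not use the IEEE 802.16 key derivation or message formats. The HMAC-SHA256 based derivation, the 8-byte nonces and tags, the message layout, the XOR-based TEK wrapping, and the binding of the AK to constructed MS and BS identifiers are all assumptions made for the example. It also shows two failure modes a practitioner would expect the handshake to catch: a message whose authentication tag does not verify, and a base station holding a different AK (for instance after moving to a different network), with which the handshake cannot complete without a fresh authentication.

```python
# Model of steps S203-S206: MSK -> AK at both ends, then the SA-TEK
# challenge/request/response exchange that delivers the TEK.
# Added example, not from the original document; the derivation, the message
# layout and HMAC-SHA256 are illustrative stand-ins for the standard's own
# definitions.
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, length: int = 20) -> bytes:
    """Assumed key derivation: HMAC-SHA256 truncated to `length` bytes."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


def derive_ak(msk: bytes, ms_id: bytes, bs_id: bytes) -> bytes:
    """AK (S205) from the MSK, bound to the MS and BS identities (constructed)."""
    pmk = msk[:20]                       # assumed: PMK is the leading 160 bits of the MSK
    return kdf(pmk, ms_id + bs_id + b"AK")


def wrap_tek(kek: bytes, tek: bytes) -> bytes:
    """Illustrative TEK wrapping: XOR with a KEK-derived keystream (self-inverse)."""
    stream = kdf(kek, b"TEK-WRAP", len(tek))
    return bytes(a ^ b for a, b in zip(tek, stream))


class Party:
    """One end of the handshake (MS or BS) holding keys derived from its AK."""

    TAG_LEN = 8   # assumed 64-bit message authentication tag

    def __init__(self, ak: bytes):
        self.mac_key = kdf(ak, b"MAC")
        self.kek = kdf(ak, b"KEK", 16)

    def send(self, body: bytes) -> bytes:
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        return body + tag

    def receive(self, msg: bytes) -> bytes:
        body, tag = msg[:-self.TAG_LEN], msg[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("message authentication failed")
        return body


def sa_tek_handshake(ms: Party, bs: Party, tek: bytes, tamper=None) -> bytes:
    """Run SA-TEK challenge, request and response; return the TEK the MS recovers.

    Message bodies (constructed layout): 4-byte label, 8-byte nonce(s), payload.
    `tamper`, if given, is applied to the SA-TEK request in transit.
    """
    bs_nonce = secrets.token_bytes(8)
    challenge = bs.send(b"CHAL" + bs_nonce)                        # SA-TEK challenge
    chal_body = ms.receive(challenge)                              # MS checks the tag
    ms_nonce = secrets.token_bytes(8)
    request = ms.send(b"REQ " + chal_body[4:12] + ms_nonce)       # SA-TEK request
    if tamper is not None:
        request = tamper(request)
    req_body = bs.receive(request)
    if not hmac.compare_digest(req_body[4:12], bs_nonce):
        raise ValueError("challenge nonce mismatch (stale or replayed request)")
    wrapped = wrap_tek(bs.kek, tek)
    response = bs.send(b"RESP" + req_body[12:20] + wrapped)       # SA-TEK response
    rsp_body = ms.receive(response)
    if not hmac.compare_digest(rsp_body[4:12], ms_nonce):
        raise ValueError("request nonce mismatch")
    return wrap_tek(ms.kek, rsp_body[12:])


# Constructed inputs: a fixed MSK standing in for the value the AAA server
# would produce in S203, and the TEK the BS wants to deliver in S206.
MSK = bytes(range(64))
TEK = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    ak = derive_ak(MSK, b"MS-1", b"BS-1")
    print("TEK delivered:", sa_tek_handshake(Party(ak), Party(ak), TEK).hex())
```

Because the AK is bound to the base station identity, the same MSK yields a different AK at another base station; a mobile station that carries its old AK to a new network cannot verify even the first challenge, which is the cost the following paragraphs describe when the whole authentication procedure has to be repeated after a heterogeneous handover.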
As described above, security association during handover between heterogeneous radio access networks is not addressed in the mobile communication system according to the related art. For example, if a mobile station using an IEEE 802.16 network performs handover to another radio access system, no method of establishing a security association for the handover is defined. Accordingly, such a method is required.
Furthermore, for handover between heterogeneous radio access networks by a multi-mode mobile station, the IEEE 802.21 system according to the related art defines that the mobile station should perform a new authentication and encryption key acquisition procedure when performing second layer handover to a new network. In this case, however, a time delay is expected before the user receives service, and data loss may result. One of the basic requirements of the IEEE 802.16m system is that it should access other radio access systems. Accordingly, when the mobile station performs handover to a heterogeneous radio access system other than the IEEE 802.16 broadband radio access system, a method of establishing a security association is required.